Researchers have discovered a gaping hole in popular remote access system Apache Guacamole that puts thousands of companies with remote employees at risk. The flaw could allow attackers to control the software and the computers that connect to it. Luckily, there is a patch available.
With large numbers of employees now working from home, remote access systems that let users control computers in the office from their home machines are increasingly popular. One free version is the open source software Apache Guacamole.
Provided by the open source Apache Software Foundation, Guacamole is a gateway that enables remote clients to connect from a browser via various protocols, including Microsoft’s Remote Desktop Protocol (RDP). It is a popular product, with over 10 million downloads of its Docker container.
Researchers at Check Point began evaluating this software in mid-February as the company prepared to transfer over 5,000 employees to remote work during the early stages of the pandemic. They quickly found problems with the open source gateway. If it connects to a compromised computer inside the network, attackers can use that machine to take control of the entire gateway with potentially disastrous results, they warned.
“Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,” said the researchers in their report. “When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.”
They found several critical reverse RDP vulnerabilities that the destination machine could use to control the gateway, along with new vulnerabilities in FreeRDP, which is Apache’s free implementation of the proprietary RDP.
Between them, these vulnerabilities allow for Heartbleed-style information disclosure along with memory corruption. Chaining these together created arbitrary read and write capabilities on the gateway. The researchers then used a privilege elevation attack to gain control of the system.
They disclosed these vulnerabilities to Apache at the end of March, and it silently patched them on May 8 in an update to its GitHub repository. It then released an official patched version (1.2.0) on June 28.
The researchers note that all versions of Guacamole released before January 2020 use vulnerable versions of FreeRDP, so it is important to patch now.